caq (2010) anti fraud report

8/8/2019 CAQ (2010) Anti Fraud Report

1/55

DeteRRig nd Detectig

Fiacial RePORtig FRauD

A Platform for ActionOctober 2010


2/55

b A PLATFORM FOR ACTION AGAINST FINANCIAL REPORTING FRAUD

THE CENTER FOR AUDIT QUALITY AND ITS VISION

The Center or Audit Quality (CAQ) is dedicated to enhancing investor confdence

and public trust in the global capital markets by:

Fostering high-quality perormance by public company auditors

Convening and collaborating with other stakeholders to advance the

discussion o critical issues requiring action and intervention

Advocating policies and standards that promote public company auditors

objectivity, eectiveness, and responsiveness to dynamic market conditions

The CAQ is an autonomous public policy organization based in Washington, D.C.

It is governed by a board comprised o leaders rom the public company audit frms,

the American Institute o Certifed Public Accountants (AICPA), and three individuals

independent o the proession. The organization is afliated with the AICPA.

ABOUT THIS REPORT

This report ocuses on fnancial reporting raud at publicly-traded companies o all

sizes, and its recommendations are intended to be scalable to dierent situations.

While the report addresses specifc structures, such as an internal audit unction or

a ormal raud risk management program, it is not intended to suggest that onesize fts all, or to be limited to any single implementation approach. It is important

that each company consider the concepts presented and tailor them to its particu-

lar characteristics. While not the specifc ocus o this report, many o the points

may be applicable to other types o organizations, such as privately-owned compa-

nies, not-or-proft organizations, and governmental entities.

ACKNOWLEDGEMENTS

We would like to thank all those who participated in the discussions and interviews,

and the drating o this document; this report would not have been possiblewithout you. We appreciate the wisdom shared throughout this process. While

there are too many who contributed to name, we would like to mention one

Elizabeth Rader, director at Deloitte LLP or her immense contribution in

reviewing the material and drating this report.


3/55

DETERRING AND DETECTING FINANCIAL REPORTING FRAUD: A PLATFORM FOR ACTION i

On behalf of the Center for Audit Quality (CAQ), we are pleased to present this report onDeterring

and Detecting Financial Reporting FraudA Platform for Action. Financial reporting rauddefned

or this report as a material misrepresentation resulting rom an intentional ailure to report fnancial

inormation in accordance with generally accepted accounting principlesis a serious concern or investors

and other capital market stakeholders. There is no way to predict who will commit raud. Moreover, because

raud is intentionally concealed by the perpetrators, it oten is dicult to detect or some time. Multiple cases

o fnancial reporting raud have undermined confdence in the U.S. capital markets in the past ew decades.

The CAQ is committed to enhancing investor confdence and public trust in the capital markets. We advocate

policies and standards that oster the highest-quality perormance by public company auditors, and we act as

a convener and collaborator with other stakeholders to oster inormed discussions on issues pertaining to

the integrity o fnancial reporting.

During 2009 and early 2010, the CAQ sponsored a series o discussions and in-depth interviews to obtain

perspectives on raud deterrence and detection measures that have worked, and on ideas or new approaches.

The participants included the ull spectrum o stakeholders with an interest in the integrity o fnancial reports

o publicly-traded companies: corporate executives, members o boards o directors and audit committees,

internal auditors, external auditors, investors, regulators, academics, and others.

This report is the result o those discussions and interviews, considered in light o related research and

guidance on the topic. The report contains numerous ideas or mitigating the risk o fnancial reporting

raud, as well as points to ponder. Notably, discussion participants strongly believe that ongoing collabora-

tion and the collective sharing o ideas and resources would greatly advance eorts to mitigate fnancial

reporting raud.

Accordingly, this report represents a frst step in longer-term initiatives and collaborations or the deter-

rence and detection o fnancial reporting raud, to beneft investors and other participants in the capital mar-

kets. The CAQ plans to play a leadership role in encouraging collaborative action to advance the understanding

o conditions that contribute to raud and develop enhanced deterrence and detection techniques and tools or

all participants in the fnancial reporting process, including management, boards o directors, audit commit-

tees, internal auditors, and external auditors. We intend these eorts to complement the activities o the Public

Company Accounting Oversight Boards (PCAOB) Financial Reporting Fraud Resource Center, and look or-

ward to opportunities or collaboration with the Center.

We are delighted to announce that Financial Executives International, The Institute o Internal Auditors,

and the National Association o Corporate Directors, organizations that already are actively engaged in eorts

to mitigate the risk o fnancial reporting raud, plan to collaborate with the CAQ on these initiatives.

We hope this report provides ood or thought and spurs stakeholders to leverage our resources to advance

the deterrence and detection o fnancial reporting raud. We look orward to working with all interested parties

in the uture.

Michele J. Hooper Cynthia M. Fornelli

Co-Vice Chair, Governing Board Executive Director

Center for Audit Quality Center for Audit Quality


4/55


5/55

DETERRING AND DETECTING FINANCIAL REPORTING FRAUD: A PLATFORM FOR ACTION iii

Contents

Executive Summary v

Prologue Financial Reporting Fraud: What It Is and 1

Why the Center or Audit Quality Cares

Chapter 1 Understanding the Landscape 3

Chapter2 Tone at the Top: The Power o Corporate Culture 10

Chapter3 Skepticism: An Enemy o Fraud 19

Chapter 4 Communications: Knowledge Sharing to 26

Deter and Detect Fraud

Chapter 5 The Case or Collaboration: Increasing Eectiveness 30

Across the Financial Reporting Supply Chain

Endnotes 33

Appendix 1 Participants in CAQ Discussions and In-Depth Interviews 35

Appendix 2 Bibliography 39

Appendix 3 Methodological Statement 43


6/55


7/55

DETERRING AND DETECTING FINANCIAL REPORTING FRAUD: A PLATFORM FOR ACTION v

Executive Summary

On a number o occasions over the past ew decades, major

public companies have experienced fnancial reporting

raud, resulting in turmoil in the U.S. capital markets, a loss

o shareholder value, and, in some cases, the bankruptcy o

the company itsel. The Sarbanes-Oxley Act o 2002 has

done much to improve corporate governance and deter

raud; however, fnancial reporting raudan intentional,

material misrepresentation o a companys fnancial state-

mentsremains a serious concern or investors and other

capital markets stakeholders.

In 2009, the Center or Audit Quality (CAQ), which is

committed to enhancing investor confdence and public

trust in the capital markets, convened fve roundtable dis-

cussions (our in the United States, one in London) with

more than 100 participants, ollowed by more than 20 in-

depth interviews, in order to capture perspectives on raud

deterrence and detection measures that have worked and

ideas or new approaches. The participants included corpo-

rate executives, members o boards o directors and audit

committees, internal auditors, external auditors, investors,

regulators, academics, and others.

The observations in this report are derived rom those

discussions and interviews, considered in light o related

research and guidance on the topic. The report contains

ideas or mitigating the risk o fnancial reporting raud, as

well as related points to ponder. It represents a frst step in

advancing longer-term initiatives and collaborations or

the deterrence and detection o fnancial reporting raud,

to beneft investors and other participants in the capital

markets.

Understanding the Landscape

The Fraud Triangle. Theoretically, anyone has the poten-

tial to engage in fnancial reporting raud; indeed, some

individuals who commit raud had previous reputationsor high integrity. Three actors, reerred to as the raud

triangle, oten combine to lead individuals to commit

raud: pressure or an incentive to engage in raud; a per-

ceived opportunity; and the ability to rationalize raudu-

lent behavior.

Participants in the CAQ discussions identifed the top

three pressures or raud as personal gain (including maxi-

mizing perormance bonuses and stock-based compensa-

tion); the need to meet short-term fnancial expectations;

and a desire to hide bad news. Opportunities or raud usu-

ally are greatest when the tone at the top is lax or controlsare ineective, although even the best controls cannot com-

pletely eliminate the risk o raud. Finally, individuals who

commit fnancial reporting raud must be able to justiy or

explain away their raudulent actions.

Typically, fnancial misstatement or manipulation starts

small, intended as just a little adjustment to improve re-

sults. But as the need to maintain the deception continues,

one misstatement leads to another until the perpetrator is

locked in, loses objectivity, and heads down the slippery

slope to commit major raud.

Historically, most major fnancial statement rauds haveinvolved senior management, who are in a unique position

to perpetrate raud by overriding controls and acting in col-

lusion with other employees. When raud occurs at lower

levels in an organization, individuals may not initially realize

that they are committing raud; they may see themselves as

simply doing what is expected to make their numbers.


8/55

vi DETERRING AND DETECTING FINANCIAL REPORTING FRAUD: A PLATFORM FOR ACTION

The Financial Reporting Supply Chain. Management,

boards o directors, audit committees, internal auditors, and

external auditors make up the public company fnancial re-

porting process or supply chain and have complementary

and interconnected roles in delivering high-quality fnancial

reporting to the investing public, including the deterrenceand detection o raud.

Management has primary responsibility or the fnancial

reporting process and or implementing controls to deter

and detect fnancial reporting raud. Boards o directors and

audit committees are responsible or oversight o the busi-

ness and the control environment. The audit committee

oversees the fnancial reporting process, the internal audit

unction, and the companys external auditors.

Internal auditors play a key role in a companys internal

control structure and have a proessional responsibility to

evaluate the potential or the occurrence o raud and howthe organization manages raud risk. External auditors must

be independent o the company they audit and provide a pub-

lic report on the entitys annual fnancial statements, includ-

ingor U.S. public companies with $75 million or more in

market capitalizationan opinion on the eectiveness o the

entitys internal control over fnancial reporting.

Fraud Deterrence and Detection

How can those in the fnancial reporting supply chain indi-

vidually and collaboratively mitigate the risk o fnancial

reporting raud? While there is no silver bullet, the CAQ

discussion participants consistently identifed three themes:

A strong, highly ethical tone at the top that permeates the

corporate culture (an eective raud risk management

program is a key component o the tone at the top)

Skepticism, a questioning mindset that strengthens pro-

essional objectivity, on the part o all participants in the

fnancial reporting supply chain

Strong communication among supply chain participants

Tone at the top. A strong ethical culture starts at the top

with a companys most senior leaders and cascades through

the entire organization to create, in the words o a CAQ dis-

cussion participant, a mood in the middle and a buzz at

the bottom that reect and reinorce the tone at the top.

Corporate culture inuences all three sides o the raud tri-

angle. A strong ethical culture creates an expectation to do

the right thing and counteracts pressure and incentives to

commit raud. An ethical culture also supports well-designed,

eective controls that diminish opportunities or raud and

increase the likelihood that raud will be detected quickly. In

addition, a culture o honesty and integrity severely limits an

individuals ability to rationalize raudulent actions.CAQ discussion participants agreed that management

plays the most critical role in building a strong ethical cul-

ture. They emphasized that, to do so, senior management

must clearly communicate ethical expectations and visibly

live by them. Importantly, employees need to hear the same

messages rom their immediate supervisors, because they

have the most powerul and direct inuence on the ethical

judgments o their employees.

Tone at the top is reinorced through the establishment

o a comprehensive raud risk management program with a

readily accessible confdential whistleblower program. Inact, studies show that raud most oten is detected through

tips. In multinational organizations, it is critical that ethics

and raud deterrence programs also account or cultural

dierences.

Boards and audit committees support and reinorce the

tone at the top in part by choosing the right management

team. Audit committees oversee the fnancial reporting

process, including monitoring raud risk and the risk o

management override o controls. Boards, through the com-

pensation and audit committees, also reinorce the compa-

nys ethical values by reviewing compensation plans,especially those or senior management, or unintentional

incentives to commit fnancial reporting raud.

The internal audit unction tests and monitors the design

and eectiveness o raud programs and internal control

over fnancial reporting. According to The Institute o Inter-

nal Auditors (The IIA), internal audit should operate with

organizational independence, which commonly includes di-

rect reporting to the audit committee and unrestricted ac-

cess to the board and audit committee should matters o

concern arise. External auditors have the responsibility to

plan and perorm an audit to obtain reasonable assurance

that the fnancial statements are ree o material misstate-

ment, whether caused by error or raud.

Skepticism. Skepticism involves the validation o inorma-

tion through probing questions, the critical assessment o

evidence, and attention to inconsistencies. Skepticism is not

an end in itsel and is not meant to encourage a hostile atmo-


9/55

DETERRING AND DETECTING FINANCIAL REPORTING FRAUD: A PLATFORM FOR ACTION vii

sphere or micro-management; it is an essential element o

the proessional objectivity required o all participants in the

fnancial reporting supply chain. Skepticism throughout the

supply chain increases not only the likelihood that raud will

be detected, but also theperception that raud will be detect-

ed, which reduces the risk that raud will be attempted.CAQ discussion participants noted that management ex-

ercises skepticism by periodically testing assumptions about

fnancial reporting processes and controls, and remaining

cognizant o the potential or raud, particularly i the orga-

nization is under fnancial pressure. They emphasized the

importance o having boards and audit committees employ a

skeptical approach in discharging their oversight responsi-

bilities. To exercise skepticism eectively, board and audit

committee members need a thorough knowledge o the

companys business (especially the drivers o its revenue and

proftability), its industry and competitive environment, andkey risks.

For both internal and external auditors, skepticism is an

integral part o the conduct o their proessional duties, in-

cluding the consideration o the risk o management over-

ride o controls. Internal and external auditors can also

provide insight into the companys ethical culture and the

eectiveness o its internal controls to assist board and audit

committee members in exercising skepticism.

Communication Across the Financial Reporting Supply

Chain. Participants in the CAQ discussions stressed that f-nancial reporting supply chain participants should leverage

their complementary and interconnected responsibilities

through requent and robust communications to share in-

sights and eliminate gaps in their collective eorts.

The audit committee is a hub or many o these commu-

nications because it has direct reporting lines rom manage-

ment, the internal auditor, and the external auditor. In

addition to regular communications with these groups, ex-

ecutive sessions with each o them, as well as with selected

key employees, can be a valuable tool or boards and audit

committees to obtain a broad perspective on the companys

fnancial reporting environment. Also, regular communica-

tion among management, the internal auditor, and the exter-

nal auditor is integral to the accomplishment o each partys

responsibilities.

Together, these communications enable the sharing o in-

ormation, perspectives, and concerns that provide a view

into the company that is greater than the sum o its parts.

Open and robust exchanges that consciously strive to avoid

minimalist, compliance-oriented discussions will yield max-

imum benefts or all parties.

The Case for Collaboration: Increasing

Effectiveness Across the Financial Reporting

Supply Chain

CAQ discussion participants agreed that while supply

chain participants work to deter and detect fnancial re-

porting raud one company at a time, the collective sharing

o ideas and resources would greatly advance eorts to

mitigate fnancial reporting raud.

The CAQ believes that such collaboration would indeed

enhance the ability o participants in the fnancial reporting

supply chain to deter and detect fnancial reporting raud

and thereby sustain and enhance confdence in the capitalmarkets over the long term. In addition to the discussion

participants, the CAQ sought input on this report rom

Financial Executives International (FEI), the National As-

sociation o Corporate Directors (NACD), and The IIA, or-

ganizations that already are actively engaged in eorts to

mitigate the risk o fnancial reporting raud. Each o these

organizations provided signifcant support and insights, and

expressed interest in urther collaboration.

In light o the positive reception this eort has received

and the importance o this issue to investor confdence, the

CAQ plans to play a leadership role by encouraging contin-ued collaboration with these key stakeholders (and other

proessional organizations where appropriate) to leverage

existing resources, share ideas, and prioritize uture activi-

ties to advance the deterrence and detection o fnancial re-

porting raud. We will ocus our initial eorts in our areas:

Advance the understanding o conditions that contrib-

ute to raud

Promote additional eorts to increase skepticism

Moderate the risks o ocusing only on short-term

results Explore the role o inormation technology in acilitat-

ing the deterrence and detection o raudulent fnancial

reporting

These areas represent the beginning o a ocused and coor-

dinated eort to mitigate the risk o fnancial reporting

raud and the damage it can cause to individual companies

and the capital markets.


10/55


11/55

DETERRING AND DETECTING FINANCIAL REPORTING FRAUD: A PLATFORM FOR ACTION 1

P R O L O G U E

Financial Reporting FraudWhat It Is and Why the Center for Audit Quality Cares

Over the past ew decades, multiple headline-grabbing cases

o fnancial reporting raud at public companies have rocked

the capital markets. These rauds have a negative impact onthe capital markets and erode the trust o the investing pub-

lic. Financial reporting raud can also have a devastating im-

pact on a companys reputation, to the point o jeopardizing

its existence.

The Sarbanes-Oxley Act o 2002 (the Sarbanes-Oxley

Act or the Act) was enacted in response to the corporate

scandals o the late 1990s and early 2000s, which resulted in

major losses or investors and a precipitous decline in inves-

tor confdence in the U.S. capital markets. The requirements

o the Sarbanes-Oxley Act were intended to strengthen pub-

lic companies internal controls over fnancial reporting andhave served to sharpen the ocus o senior management,

boards o directors, audit committees, internal audit depart-

ments, and external auditors on their responsibilities or re-

liable fnancial reporting. Although it is generally accepted

that the Sarbanes-Oxley Act has improved corporate gover-

nance and decreased the incidence o raud, recent studies

and surveys indicate that investors and management con-

tinue to have concerns about fnancial statement raud. For

example:

The Association o Certifed Fraud Examiners (ACFE)

2010 Report to the Nations on Occupational Fraud and

Abuse ound that fnancial statement raud, while repre-

senting less than fve percent o the cases o raud in its

report, was by ar the most costly, with a median loss o

$1.7 million per incident.

Fraudulent Financial Reporting: 19982007rom the Com-

mittee o Sponsoring Organizations o the Treadway

Commission (the2010COSO Fraud Report), analyzed 347

rauds investigated by the U.S. Securities and Exchange

Commission (SEC) rom 1998 to 2007 and ound that the

median dollar amount o each instance o raud had in-creased three times rom the level in a similar 1999 study,

rom a median o $4.1 million in the 1999 study to $12 mil-

lion. In addition, the median size o the company involved

in raudulent fnancial reporting increased approximately

six-old, rom $16 million to $93 million in total assets and

rom $13 million to $72 million in revenues.

A 2009 KPMG survey o 204 executives o U.S. compa-

nies with annual revenues o $250 million or more ound

that 65 percent o the respondents considered raud to be

a signifcant risk to their organizations in the next year,

and more than one-third o those identifed fnancial re-

porting raud as one o the highest risks.1

Fity-six percent o the approximately 2,100 business

proessionals surveyed during a Deloitte Forensic Cen-

ter webcast about reducing raud risk predicted that

more fnancial statement raud would be uncovered in

2010 and 2011 as compared to the previous three years.

Almost hal o those surveyed (46 percent) pointed to

the recession as the reason or this increase.2

Because raud can have such a devastating impact, the CAQ,

consistent with its mission, convened fve roundtable dis-

cussions in 2009. Representatives o all stakeholders aect-

ed by raud were able to share perspectives, experiences,

successul anti-raud measures, and ideas or new approach-

es. The participants in these discussions included, among

others, corporate executives, members o boards o directors

and audit committees, internal auditors, external auditors,

raud specialists, investors, regulators, and academics. In or-


12/55

2 DETERRING AND DETECTING FINANCIAL REPORTING FRAUD: A PLATFORM FOR ACTION

The Sarbanes-Oxley Act Legislation for Strong Governance and Accountability

The Sarbanes-Oxley Act of 2002 was enacted in response to the corporate scandals of the late 1990s and early 2000s. The Act

mandated signicant reforms to public companies governance structures and the oversight of public company accounting rms.

Many of its requirements were intended to raise the standard of corporate governance and mitigate the risk of fraudulent nan-

cial reporting. In particular, the Act:

Reinforces the responsibility of corporate ofcers for the accuracy and completeness of corporate nancial reports, and adds a

requirement for the public certication of each periodic report led with the SEC that includes nancial statements. The chief

executive ofcer and chief nancial ofcer must certify that each such periodic report complies with the requirements of the Se-

curities Exchange Act of 1934 and that the nancial statements are fairly presented

Establishes criminal penalties for a willful and knowing untrue certication

Provides for the disgorgement of the bonuses and prots of executives involved in fraudulent nancial reporting

Requires evaluations and increased disclosures of a companys internal control over nancial reporting by management, and

a related report by the external auditor for certain companies

Requires other enhanced disclosures, including whether the company has a code of ethics for senior nancial ofcers

Enhances the role of the audit committee, including requirements for nancial expertise and responsibility for oversight of

the companys external auditor

Requires companies to establish whistleblower programs, and makes retaliation against whistleblowers unlawful

These provisions are generally held to have helped reduce nancial reporting fraud and to serve as an ongoing deterrent to such

fraud. Several CAQ discussion participants emphasized the deterrent effect of the criminal penalties for untrue certications by

the CEO or CFO.

der to acilitate a ree ow o ideas, the roundtable discus-

sions were conducted with no public attribution o com-

ments to individual participants. These discussions were

ollowed in early 2010 by in-depth interviews with more

than 20 o the roundtable participants conducted by an in-

dependent research frm. The interviews delved urther intothe insights and observations o individual participants in

the discussion groups, and participants agreed to be quoted

in this report. The discussions and interviews ocused on a

particular subset o rauds, those that are material and in-

volve a public companys fnancial reports. Other types o

raud, such as the misappropriation o assets, were outside

the scope o the discussions.

The observations and areas o ocus in this report are de-

rived rom these discussions and interviews. Throughout

this report, where observations indicate that participants

agreed on a particular point, it is meant to indicate general

consensus, not necessarily that there was unanimity. The in-

sights rom the discussions were considered in light o re-

lated research, and they include both specifc ideas or

consideration by individual stakeholder groups, as well asseveral longer-term proposals or collaboration among all

stakeholders. Together, these proposals represent the begin-

ning o a long-term eort to advance the deterrence and de-

tection o fnancial reporting raud, with the ultimate goal o

benefting investors, other users o fnancial reports, and

participants in the capital markets. This report and the ideas

generated rom it are intended to serve as a springboard or

ongoing collaboration among all stakeholders to diminish

the risk o fnancial reporting raud.


13/55


C H A P T E R 1Understanding the Landscape

Why Commit FraudThe Seductive Triangle

Three conditions typically are present when individuals

commit raud: pressure or an incentive to engage in raud, aperceived opportunity, and the ability to

rationalize raudulent behavior. This

raud triangle was frst developed by

noted twentieth century criminologist

Donald Cressey.3 These three condi-

tions may exist whether the economy is

strong or weak, and, accordingly, raud

can be committed in both good times

and bad. How then do these actors mo-

tivate raud?

Pressure to commit fraud. Pressure

can be either a positive or a negative

orce. When goals are achievable,

pressure contributes to creativity, eciency, and competi-

tiveness. However, temptations or misconduct arise when

goals do not appear to be attainable by normal means, yet

Pressure

FRAUD

RationalizationOpportunity

The Fraud Triangle

pressure continues unabated, with career advancement,

compensation, and even continued employment at risk.

When pressure is transormed into an obsessive determi-

nation to achieve goals no matter what the cost, it becomesunbalanced and potentially destruc-

tive. That is when individuals are most

likely to resort to questionable activi-

ties that may lead to raud.

Participants in the CAQ roundtable

discussions and interviews identifed

the top three motivators or raud as

personal gain (including maximizing

perormance bonuses and the value o

stock-based compensation); achieving

short-term nancial goals (either in-ternal targets or external analyst ex-

pectations); and hiding bad news rom

investors and the capital markets. Sim-

ilarly, the 2010 COSO Fraud Report ound that the most

commonly cited motivations or fnancial statement raud

were the need to meet internal or external earnings ex-

There is a pressure at an individual

level which I think is signifcantly

associated with compensation

arrangements in the organization.

There is also pressure at a corporate

level, when there is a negative

economic environment that makes

targets much harder to achieve.

Both can create powerul incentives

or fnancial statement raud.

Ian Ball,Chief Executive Ofcer,

International Federation of Accountants


14/55


pectations, an attempt to conceal the

companys deteriorating fnancial con-

dition, the need to increase the stock

price, the need to bolster fnancial per-

ormance or pending equity or debt

fnancing, or the desire to increasemanagement compensation based on

fnancial results. Interestingly, aca-

demic research indicates that the de-

sire to recoup or avoid losses is much more likely to moti-

vate an individual to engage in activities that could lead to

raud than the desire or personal gain.4

Other research has ound that executives and mid-level

managers eel that they ace continual pressure to meet busi-

ness objectives as well as the short-term fnancial goals o

analysts and investors. In the KPMG 20082009 Integrity

Survey, 59 percent o managers and employees acknowl-edged eeling pressure to do whatever it takes to meet busi-

ness targets; 52 percent believed that

they would be rewarded based on re-

sults rather than the means used to

achieve them; and 49 percent eared los-

ing their jobs i they missed their targets.

Consistent with comments rom multi-

ple CAQ discussion participants, several

recent academic studies have ound that

executives at companies accused o f-

nancial reporting raud ace greater f-nancial incentives to increase stock price, in the orm o stock

or option holdings, than executives at companies where raud

was not ound. The studies indicate that

the motivation or raud is oten to in-

crease or prevent a decrease in stock

price.5

Financial misstatement or manipula-

tion oten starts small, intended as just alittle adjustment to meet earnings tar-

gets or give the company time to im-

prove results. Initially, the individual in-

volved may not even consider what is done to be unacceptable

or raudulent. But as the need to maintain the deception con-

tinues, one adjustment leads to another and the scope o the

raud expands until the perpetrator is locked in and headed

down the slippery slope to major raud.

Opportunity for fraud. Even when pressure is extreme,

fnancial reporting raud cannot occur unless an opportu-nity is present. Opportunity has two aspects: the inherent

susceptibility o the companys ac-

counting to manipulation, and the con-

ditions within the company that may

allow a raud to occur. The nature o

the companys business and account-

ing can provide sources o opportunity

or raud in the orm o signifcant re-

lated-party transactions outside the

ordinary course o business; a large

volume o estimates o assets, liabili-ties, revenues, or expenses that are subjective or dicult to

corroborate; and isolated, large transactions. Some large

transactions, especially those close to period-end, can pose

complex substance over orm questions that provide

opportunities or management to engage in raudulent

reporting.6

The opportunity or raud is also aected by a companys

internal environment, which is largely inuenced by the en-

titys culture and the eectiveness o its internal controls.

Strong controls can signifcantly limit possibilities or the

manipulation o results or or raudulent transactions. It is

important to maintain a sharp ocus on controls in both good

and bad economic times. When results are strong and mar-

kets are up, there can be a tendency toward complacency,

with diminished ocus on internal controls and reduced

scrutiny o results. In tough economic times, companies try-

ing to do more with less may cut budgets in areas that com-

promise the eectiveness o internal controls. Both the

Perceived Root Causes of Misconduct

(a survey of 5,065 working adults)

Pressure to do whatever it takes to meet business 59%

targets

Believe will be rewarded for results, not means 52%

Believe code of conduct not taken seriously 51%Lack familiarity with standards for their jobs 51%

Lack resources to get job done without cutting corners 50%

Fear losing job if miss targets 49%

Believe policies easy to bypass or override 47%

Seek to bend rules for personal gain 34%

KPMG LLP (U.S.) Integrity Survey 20082009

I think most people who come

unstuck in this context o accounting

misstatement are basically honest

people who get caught up and

then they get desperate.

Jonathan Fisher QC, Barrister,

23 Essex Street Chambers; Trustee,

Fraud Advisory Panel

When we are talking about material

fnancial statement raud, it is likely

that senior management either

knows about it or has caused

it by putting so much pressure

on employees.

Scott Taub, Managing Director,

Financial Reporting Advisors


15/55


PricewaterhouseCoopers 2009 Global

Economic Crime Study and the Ernst &

Young2009 European Fraud Survey in-

dicated that sta reductions were likely

to lead to inattention to normal fnan-

cial control procedures and thus resultin a greater risk o raud.

Rationalization of fraud. Individuals

who commit fnancial reporting raud

possess a particular mindset that al-

lows them to justiy or excuse their

raudulent actions. CAQ discussion participants empha-

sized that personal integrity is critical in determining

whether an individual will be prone to rationalize raud.

However, as the pressure or incentive increases, individuals

may be more likely to construct some rationalization orraudulent actions. For instance, in an environment o ex-

treme pressure to meet corporate fnancial goals, members

o management or other employees may conclude that they

have no choice but to resort to raud to save their own jobs

or the jobs o others, or simply to keep the company alive

until the turnaround comes.

Where the motivation or raud is

more altruistic than personalto save

jobs or keep the company aoatthe

pressure to commit raud also can be-

come the rationalization or it. The

process o rationalization, like the slip-

pery slope to raud, oten starts with

justiying a small nudge to the bound-

aries o acceptable behavior but then

deteriorates into a wholesale loss o

objectivity. However, discussion participants noted that i

employees understand that violations o the companys

ethical standards will not be tolerated and i they see se-

nior management living by strict ethical standards and

consistently demonstrating high integrity, raudulent be-

havior becomes dicult to rationalize.

Who Commits Fraud

The three sides o the raud triangle are interrelated. Pres-

sure can cause someone to actively seek opportunity, and

pressure and opportunity can encourage rationalization. At

the same time, none o these actors, alone or together, nec-

essarily cause an individual to engage in

activities that could lead to raud. So

what exactly is the profle o the person

who commits raud?

Theoretically, anyone has the po-

tential to engage in raud, and in actsome individuals who commit raud

previously had reputations or high in-

tegrity and strong ethical values. When

pressures make individuals desperate

and opportunity is present, fnancial

reporting raud becomes a real possi-

bility. As one o the CAQ discussion participants observed,

most people who commit raud do not start with a con-

scious desire to do so: They end up there because the

world they are operating in has led them to a challenge be-

yond their capabilities.Participants in the CAQ roundtable discussions also

underscored that the greatest risk o fnancial reporting

raud relates to what has been called the Achilles heel

o raudthe possibility o management override o con-

trols.7 Management is in a unique position to perpetrate

raud because it possesses the power to override controls,

manipulate records, and acilitate

collusion by applying pressure to em-

ployees and either enlisting or re-

quiring their assistance.

In some situations, senior leadersdo not perpetrate a raud directly, but

instead are indirectly responsible be-

cause they put inordinate pressure on

subordinates to achieve results that

are impossible without cooking the

books. At lower levels in the organization, individuals

may not initially realize that they are committing raud,

but instead see themselves as simply doing what is ex-

pected to make their numbers or responding to the re-

quest o a supervisor.

POINT TO PONDER

Even under extreme pressure, only a small percentage of senior

management actually commits fraud. Why do some buckle un-

der pressure, and others not? Why and how do good people

start down the slippery slope to fraud? Is it a function of cir-

cumstances? Or is it a fundamental character aw?

The greatest risk o manipulation

o fnancials is when management

creates an impression that [the

manipulation] is needed or expected

. . . Most o the people committing

raud are not doing it or personalgain. They are doing it because they

eel it is necessary and appropriate.

Norman Marks,Vice President,

Governance, Risk and Compliance,

SAP BusinessObjects

The presence o a process to deter

raud doesnt eliminate the threat

o people acting raudulently.

Charles M. Elson, JD,

Edgar S. Woolard, Jr. Chair,

Professor of Law and Director of the

John L. Weinberg Center for Corporate

Governance, University of Delaware


16/55


Participants in the Financial Reporting Supply

Chain and Their Roles in Mitigating the Risk

of Financial Reporting Fraud

Management, boards o directors, audit committees, inter-

nal auditors, and external auditors are all key players in thepublic company fnancial reporting process, or supply

chain,8 with complementary and interconnected roles in

delivering high-quality fnancial reporting, including the de-

terrence and detection o raud.

Management

Members o management have the oremost role in the f-

nancial reporting process, with primary responsibility or

the deterrence and detection o fnancial reporting raud.

They are responsible or the maintenance o accurate books

and records and the design and implementation o an eec-tive system o internal control over fnancial reporting. They

are also responsible or evaluating and managing the

companys business risks, including the risk o fnancial re-

porting raud, and then implementing and monitoring com-

pliance with appropriate internal controls to mitigate those

risks to an acceptable level.

Shared Responsibility to the Investing Public for Mitigating the Risk of Financial Reporting Fraud

ManagementPrimary responsibilityfor financial reporting

process

InternalAudit

Objectiveassurance

Principal Anti-Fraud Role

Oversight of tone at the top,

financial reporting, internal &

external auditor

Solid knowledge of industry/business

Understanding of fraud risks

Independence and objectivity

Ability to challenge management,

the board, and the audit committee

Assess fraud risks as part of audit

planning and execution

Strong tone at the top

Maintenance of effective

internal controls

Robust fraud risk management

program

Financial Reporting Supply Chain

Boardand Audit

CommitteeGovernance and

oversight

ExternalAudit

Externalindependent

attestation

EffectiveCommunication

Independence and objectivity

Ability to challenge management,

the board, and the audit committee

Assess fraud risks and monitor controls

Skepticism

In the case o fnancial reporting raud, critical controls

start with the ethical tone at the top o the organization

and include a strong code o ethics, raud awareness train-

ing, hotline reporting mechanisms, monitoring tools, and

processes to investigate, evaluate, and, where necessary,

punish wrongdoing.Senior management reports to the board o directors, with

specifc reporting to the audit committee on matters related

to fnancial reporting and the risk o fnancial reporting raud.

While members o management have the oremost role in

preventing and detecting raud, they typically are involved

when material fnancial reporting raud does occur. Accord-

ing to CAQ discussion participants, in these situations, man-

agement is usually ound ignoring the companys code o

conduct and overriding internal controls. As a consequence,

the roles o other parties in the fnancial reporting supply

chain are critical in adequately addressing the risk o fnancialreporting raud.

Boards of Directors and Audit Committees

As discussed in detail in several publications rom the

NACD,9 the board o directors and audit committee o a pub-

lic company have ultimate responsibility or oversight o the


17/55


business, including risk management

and the fnancial reporting process.

The report o the NACDBlue Ribbon

Commission on Risk Governance, like

the Internal Control Framework devel-

oped by COSO, recognizes that theoundation or eective governance is

board members who are objective, ca-

pable, and inquisitive, with a solid

knowledge o the companys industry,

business, and control environment.

CAQ discussion participants stressed that audit committee

members should have industry and entity knowledge, includ-

ing a strong understanding o the economics o the business,

in order to identiy and understand business and fnancial

risks that may increase the likelihood o raud.

The audit committee is responsible or overseeing the f-nancial reporting process and controls, the internal audit

unction, and the external auditors, including the appoint-

ment o the companys external auditor. It oversees manage-

ments implementation o policies that are intended to oster

an ethical environment and mitigate fnancial reporting risks.

In this process, the audit committee has the responsibility to

see that management designs, documents, and operates e-

ective controls to reduce the risk o fnancial reporting raud

to an acceptable level. The Sarbanes-Oxley Act also makes

the audit committee responsible or establishing mecha-

nisms or the receipt, retention, and treatment o complaintsreceived by the company regarding accounting, internal ac-

counting controls, or audit matters, and confdential, anony-

mous submissions by employees o concerns regarding

questionable accounting and auditing matters (generally re-

erred to as the ethics or whistleblower program).

In addition, it is increasingly common or the audit com-

mittee to have a link with the compensation committee

through overlapping members, joint meetings, or atten-

dance o the audit committee chair at certain compensation

committee meetings. The objective o this process is to sat-

isy both committees that the executive compensation struc-ture provides sound incentives or achieving corporate

strategies without unintentionally providing motivations or

raud or other unethical behavior. The ocus on compensa-

tion structures will likely increase as a result o legislation

and regulatory rules regarding corporate compensation pol-

icies and practices.

Internal Audit

Not all public companies have an inter-

nal audit unction. However, where

companies have an internal audit de-

partment, that group is described by

The IIA as an independent, objectiveassurance and consulting activity de-

signed to add value and improve an or-

ganizations operations.10 According

to IIA standards, internal auditors

should be independent o the activities

they audit and ree rom intererence in the conduct o their

activities, and should exercise due proessional care. Func-

tionally, the chie audit executive commonly reports to the

audit committee, with administrative reporting most oten

to the chie executive ocer, general counsel, or chie fnan-

cial ocer.Under IIA standards, internal audit is responsible,

among other things, or evaluating the eectiveness o the

companys risk management, control, and governance pro-

cesses. CAQ discussion participants noted that internal au-

ditors with such responsibilities should have sucient

knowledge to evaluate the risk o raud and the manner in

which it is managed by the organization.

Internal auditors also are responsible or evaluating risk

exposures related to the reliability and integrity o fnancial

inormation, and specifcally the potential or the occur-

rence o raud and how the organization manages raudrisk. In this process, internal audits role typically includes

communicating to the board, audit committee, and manage-

ment that internal controls, including controls to deter and

detect raud, are sucient or the identifed risks, and veri-

ying that the controls are unctioning eectively.11

Internal audit also may assist management in identiying

and assessing risks and the control environment.

In addition to these duties, internal audit may be involved

in monitoring the whistleblower program, assessing compli-

ance with the entitys code o ethics, and other activities in

support o the organizations ethical culture.

External Audit

External auditors are independent o the organization they

audit and provide a public report on the companys annual

fnancial statements. Generally, or U.S. listed companies

with $75 million or more in capitalization, the audit also

includes an opinion on the eectiveness o the internal

Most fnancial statement raud

involves senior management o the

companyeither directly, because

they are the perpetrators, or

indirectly, because they have

imposed difcult-to-reachperormance goals.

Michael Oxley, Former Member of

Congress; currently Of Counsel,

Baker & Hostetler LLP


18/55


controls over fnancial reporting that management has im-

plemented to address the risk o material misstatements in

fnancial statements.

External auditors report directly to the audit commit-

tee, which engages them and oversees the conduct o the

audit. Under PCAOB auditing standards, an audit is a de-tection mechanism specifcally designed to assess raud

risk and detect material raud: An [external] auditor has a

responsibility to plan and perorm the audit to obtain rea-

sonable assurance about whether the fnancial statements

are ree o material misstatement,

whether caused by error or raud.12

Due proessional care and skepti-

cism are undamental principles in ev-

erything an external auditor does. As

part o their proessional responsibili-

ties, external auditors are required todiscuss with the audit committee, as

applicable, matters such as, but not

limited to, those that may enter into

the evaluation o the risk o fnancial

reporting raud, the adjustments that

resulted rom the audit, the auditors

judgment on the quality o the entitys

accounting principles, signifcant accounting estimates,

material weaknesses or signifcant defciencies in internal

controls identifed during the audit, and disagreements

with management, i any.13 Because o their experiencewith a variety o companies, external auditors also are o-

ten in a position to provide useul perspectives on best

practices in fnancial reporting and controls, including the

mitigation o raud risks.

Themes Related to Deterrence and Detection

The participants at the CAQ roundtable discussions and in-depth interviews agreed that pressure, opportunity, and ra-

tionalization are indeed key catalysts or fnancial reporting

raud. They also agreed that senior management has the pri-

mary responsibility or deterring and detecting raud, work-

ing in concert with the board o

directors and audit committee and the

internal and external auditors.

A undamental underpinning o any

companys eorts to deter and detect

raud is a robust system o internal con-

trol. All key players in the fnancial re-porting supply chain have some

responsibility with respect to internal

control systems. However, the risk o

management override o internal con-

trols and other actors means it is not

enough to ocus only on the design o a

companys system o internal control.

Thus, the crucial question is how the key players in the f-

nancial reporting supply chain, both individually and collec-

tively, can eectively mitigate the risk that the three orces

in the raud triangle will lead to fnancial statement raud.Three themes or categories o raud deterrence and de-

tection measures emerged rom the CAQs discussions and

Deterring and Detecting Financial Reporting Fraud

Because of the inherent limitations on the effectiveness of controls and the possibility for the override of controls, the risk of fraud

can be mitigated but not completely eliminated. Therefore, companies typically employ two strategies to mitigate fraud risks:

controls that focus primarily on deterring potential fraud and controls to detect fraudulent activity.

Controls to deter fraud, such as a strong ethical tone at the top and a proactive fraud management program, are highly visible

in the organization and are designed to ascertain and mitigate the forces that can enable fraud.

Detective controls generally operate in the background and focus on the timely identication of fraud that has occurred.

Examples of detective controls include:

Process controls such as reconciliations and physical count

Technology tools to identify anomalies in accounting entries or activity

Regular management or internal audit reviews of areas of activity (such as accounting estimates) susceptible to manipulation

Some controls, such as a whistleblower program, both deter fraud by their presence and help detect incidents of fraud.

Its quite plausible or senior

management to rationalize

raudulent behavior: We are not

hurting anybody, we are not

spending any money, we are

protecting jobs, we think the

business is going to turn around

next year. We are just making sure

that we are still here next year

when the turnaround comes.

David Alexander, Director of

Forensic Services, Smith and Williamson


19/55


interviews. These themes highlight the actions some com-

panies already are taking to address the risk o fnancial re-

porting raud and stimulate thinking about other potential

approaches that may counter one or more o the motivators

in the raud triangle. These same themes are also reected in

recent research on the deterrence and detection o fnancialreporting raud.

First, the tone at the top, as it is reected throughout a

companys culture, is the primary line o deense and

one o the most eective weapons to deter raud

Second, skepticism, or a questioning mindset on the part

o all key participants in the fnancial reporting process,

is a vital tool in evaluating raud risk and in deterring

and detecting potential fnancial reporting raud

Third, strong communication and active collaboration

among all key participants are essential to a thorough

understanding o the risks o fnancial reporting raud

and to an eective anti-raud program

In developing specifc next steps to advance eorts to deter

and detect fnancial reporting raud, it is instructive to o-

cus on how each o the key groups in the fnancial report-

ing supply chain can embrace these themes in order to help

mitigate the risk o fnancial reporting raud. The ollowing

chapters discuss each o the themes and the related re-

sponsibilities o each stakeholder groupmanagement,

boards and audit committees, internal auditors, and exter-

nal auditors.


20/55


C H A P T E R2

In both the CAQs roundtable discussions and in-depth in-

terviews, participants were unanimous that an organiza-

tions ethical culture is a decisive actor in mitigating the risk

o raudulent fnancial reporting, and that the corporate cul-

ture can either deter fnancial reporting raud or implicitly

condone it. Similarly, the PricewaterhouseCoopers U.S. Sup-

plement to the 2009 Global Economic Crime Survey ound

that 72 percent o the responding executives identifed is-

sues relating to corporate culture as the root cause o in-

creased economic crime.

A strong ethical culture starts with an organizations

most senior leaders (thus the phrase tone at the top) and

cascades down through the entire organization to create

in the words o several participants in the CAQ roundtablesand interviewsa mood in the middle and a buzz at the

bottom that reects and reinorces the companys operat-

ing values. Boards and audit committees, along with inter-

nal auditors, play vital roles in building and sustaining the

organizations ethical culture.

Corporate culture inuences all

three sides o the raud triangle. A

strong ethical culture creates an ex-

pectation o doing the right thing

and counteracts pressures to push

the envelope to meet short-termgoals. Likewise, an ethical culture

typically supports well-designed

and eective controls that diminish

opportunities or raud and increase

the likelihood that raud will be de-

tected quickly. A culture o honesty

and integrity can severely limit an

individuals ability to rationalize

raudulent actions. However, i an employee is motivated by

personal reasons such as greed or fnancial need, he or she

may be impervious to the inuence o corporate culture.

Culture and Management

O all the groups with a role in the fnancial reporting supply

chain, management has the most crit-

ical role, because it is responsible or

setting the tone at the top and estab-

lishing the culture and designing the

systems that drive the organization.

In the opinion o CAQ discussion par-

ticipants, companies successul in

building an ethical culture that deters

raud do so through a dual approach.

First, they clearly state their ethical

standards, and second, senior man-

agement visibly lives by those stan-

dards every day and reinorces them

through the entire organization with

appropriate systems and processes.

The processes and criteria by which

Tone at the TopThe Power of Corporate Culture

Tone at the Top Does Matter

The Integrity Survey 20082009, conducted by KPMG LLP,found that among companies with a comprehensive ethics

and compliance program, 90 percent of the respondents

described the environment as one where people feel mo-

tivated and empowered to do the right thing. In compa-

nies without a comprehensive ethics and compliance pro-

gram, only 43 percent gave that response.

Tone at the top is a level o

commitment to integrity, to doing

the right thing at all costs despite the

consequences such action may have on

fnancial perormance. Actions speak

louder than words. Observing howleaders make decisions and act on a

day-to-day basis is the most convincing

evidence about the cultural

reality at a company.

Mark S. Beasley, Ph.D.,

Deloitte Professor of Enterprise Risk

Management and ERM Initiative Director,

North Carolina State University


21/55


management makes decisions are crucial as they signal to

the organization what is truly valued.

CAQ discussion participants stressed that an organiza-

tions tone at the top reects its commitment to deterring

and detecting raud. I employees understand the organiza-

tions ethical expectations, believe that misconduct will notbe tolerated, and see their senior leaders adhering strictly to

the code o conduct, they are less likely to succumb to temp-

tations to commit raud and are more likely to report raud i

they see it. Its all about the example set by leadership, at all

levels. In other words, the key is to walk the talk.

The TalkClear Policies and Messaging. According to

CAQ discussion participants, to be eective, a companys

ethical policies and standards should

be unambiguously clear throughout all

levels o the organization and in allgeographic locations. It is senior lead-

erships responsibility to communicate

these messages and continually rein-

orce them in a way that permeates

through the entire organization. Em-

ployees need to hear the same mes-

sages not only rom top leaders but

also rom their direct supervisors. As

several participants in the CAQ round-

tables and interviews pointed out,

frst-line supervisors have the mostpowerul and direct inuence on the

ethical judgments o employees. It is

vital that the mood in the middle among these supervisors

echo the companys talk on ethical values, so that the val-

ues become part o the daily conversation and the buzz at

the bottom. Messages should emphasize each employees

duty to report questionable behavior, and perormance

goals and compensation plans should reinorce the prima-

cy o ethical conduct.

The ollowing steps can strengthen an organizations mes-

saging related to ethics and raud deterrence:

Ongoing, consistently branded corporate communications

that are rolled out across multiple orms o media and:

Communicate clear messages about specifc objectives

Make an emotional appeal

Are customized to dierent employee groups,

geographies, and cultures

Are regularly assessed and updated

Periodic ethics training or employees, tailored to the

level and needs o dierent employee groups

Fraud awareness training that educates employees on

the characteristics o raud and the behaviors and other

red ags that may suggest raudulent conduct

Regular reviews o ethics policies to identiy gaps and

incorporate best practices

In addition, management (particularly senior manage-

ment) should be sensitive to the pressures placed on em-

ployees. For example, management needs to consider the

impact o compensation plans and perormance expecta-

tions or employees, particularly in high-pressure situa-

tions. To avoid creating unintended pressure to alsiy re-

sults, managers should be mindul o

the stresses that their employees may

eel in trying to make the numbers,and try to design goals that are realis-

tic and achievable. I the economic en-

vironment or other assumptions or

original goals change, managers

should consider modiying such goals

accordingly.

The WalkActions Speak Louder

Than Words. The talk about ethical

behavior is important, but what really

matters, according to CAQ discussion

participants, is the example set by se-

nior managers in their business and

personal lives. A classic example is Enron, which at one

time was lauded or its code o conduct and corporate gov-

ernance programs, but which lacked leadership commit-

ment to its principles. Moreover, the same standards o

I we tell people we expect you

to hit this number next quarter,

and your bonus depends on it,

that provides an incentive to meet

it or to lie about meeting it.

Nell Minow, Editor and Co-Founder,

The Corporate Library

The choices the top makes

are going to defne whats

acceptable ethically.

David Larcker, Ph.D., James Irvin Miller

Professor of Accounting, Stanford

University Graduate School of Business

Effective Codes of Conduct Are Based on

Principles

Exhaustively detailed codes of conduct encourage acqui-

escence and bureaucracy but fail to inspire employees

with the spirit of ethical behavior. The most effective

codes of conduct function not as rulebooks but as consti-

tutions that detail the fundamental principles, values, and

framework for action within an organization.

LRN, Ethics and Compliance Risk Management, 2007


22/55


behavior should be applied to all

levels o management, rom frst-

level supervisors through the most

senior ranks.

To integrate ethical behavior

into the abric o the companys cul-ture, senior managements operat-

ing policies and decisions should

reect an unwavering commitment

to the companys ethical values. Se-

nior management should hold itsel

and all company personnel strictly

accountable or compliance with

ethical standards, and consequences or violations need to

be consistently applied and clearly communicated.

Annual employee surveys are excellent tools to obtain

eedback on employees understanding and perspective onethics and compliance programs. As suggested by the con-

sulting organization LRN, an eective employee survey

should include questions that go beyond direct ethical issues

and also ask about working conditions and overall job satis-

action, which oten have signifcant ethical implications.

The key is to crat questions that lead employees to comment

on the organizations ethical culture. For example, a question

might ask, do management and supervisors provide inorma-

tion and keep commitments? Responses may indicate wheth-

er management strictly abides by the rules or tends to push

the limits o acceptable behavior.14

Fraud Risk Management Programs. In order to eectively

deter and detect fnancial reporting raud, managements

activities also need to include a com-

prehensive raud risk management

program. Since the oundation or

such a program is strong risk gover-

nance, many participants suggested

that an appropriate member o se-nior management such as the chie

risk ocer, the ethics and compli-

ance ocer, or the general counsel

should have explicit responsibility

or the program, with audit commit-

tee oversight and ongoing monitor-

ing o all o its aspects.

An eectively designed raud risk management program

starts with a ormal assessment o raud risk, which is tai-

lored to the company, is updated annually, and evaluates in-

centives and opportunities to commit raud. It also includesinternal controls specifcally designed to deter and detect f-

nancial reporting raud.

The whistleblower program is one such control. Others

include raud awareness training or employees and robust

controls over the fnancial reporting process. The program

should also include a clear process or prompt investigation

o allegations o raud, along with swit corrective action i

raud is identifed. The organizations response to raud

should send a clear signal that raud will not be tolerated, at

any time, in any place, or by any level o employee.15

The 2010 ACFE Report to the Nations on Occupational Fraud and Abuse ound that, on average, the rauds in the

study continued or two years rom the point they began to

the point they were detected, with some running consider-

Number one is talk the talk and

number two is walk the talk

by continuing to reinorce values in

the discussions with the company

personnel. Whether its letters to the

employees, letters to management,

its an ongoing process, not something

where you paste something on the

wall and walk away rom it.

John Trakselis, CPA, Past President,

Financial Executives

InternationalChicago Chapter

Elements of Effective Fraud Risk Management

A formal fraud risk management program that includes a code of ethics supported by the tone at the top; clear roles and

responsibilities for the board, the audit committee, management, and internal audit; and fraud awareness and reporting train-

ing for all employees

A comprehensive fraud risk assessment that addresses incentives and opportunities to commit fraud and the likelihood and

signicance of each potential fraud risk, including the risk of management override of controls

Activities and controls to deter and detect fraud, including the consideration of fraud risk in the development of the annual in-

ternal audit plan and in the execution of internal audit engagements

Processes for the investigation of potential frauds and for corrective action when necessary

Summarized from Managing the Business Risk of Fraud: A Practical Guide, by American Institute of Certied Public Accountants,

Association of Certied Fraud Examiners, and and The Institute of Internal Auditors, 2008.


23/55


ably longer. Companies need to make continuous improve-

ments in order to increase the likelihood that raud is detect-

ed on a timely basis. The Fraud Risk Checklist published in

2008 by the Financial Executives Research Foundation pro-

vides an example o a structured approach or management

to identiy and mitigate potential risk actors or raudulentfnancial reporting.16

Whistleblower Programs. Many CAQ discussion partici-

pants underscored the importance o a readily accessible

whistleblower reporting mechanism, such as a hotline, to re-

ceive reports o concerns about ethics violations or potential

raud. The 2010 Institute o Internal Auditors Knowledge

Alert onEmerging Trends in Fraud Risks identifed a tool or

confdential reporting as one o the key components o a

raud management program.

The Sarbanes-Oxley Act makesthe audit committee specifcally re-

sponsible or establishing and over-

seeing a confdential reporting

mechanism. To promote its use, the

Act requires that the procedures al-

low or reports to be submitted con-

fdentially and anonymously. In or-

der or the program to be eective,

it is also important that there be a

clear record o non-retaliation. Par-

ticipants emphasized that allega-

tions involving senior management and/or fnancial irregu-

larities should be escalated to the audit committee

immediately. In addition, or the whistleblower program to

have credibility, reported matters should be investigated

promptly, and meaningul penalties should be imposed

when violations are confrmed. Numerous surveys revealthat many employees still ail to report raud or other mis-

conduct because they either ear retaliation or do not be-

lieve that management will do anything to stop the unethi-

cal behavior.17 For that reason, some CAQ discussion

participants suggested that companies consider sharing a

summary o inormation about hotline reports and their

disposition within the organization.

While the participants in the roundtable discussions

noted that a large majority o calls to hotlines relate to rela-

tively minor human resources mat-

ters, a meaningul percentage o re-ports identiy serious misconduct or

raud. According to both the 2010

ACFEReport to the Nations on Occu-

pational Fraud and Abuse and the

2009 PricewaterhouseCoopers sur-

vey, Economic Crime in a Downturn,

raud was much more likely to be de-

tected by tips than by any other

method. The ACFE study reported

that approximately hal o raud tips

came through a hotline when that

Features of a Well-Designed Whistleblower Program

Option for anonymity

Organization-wide (global) and available 24/7, ideally by telephone, with professionally-trained interviewers in all local languages

Single hotline for all ethics-related issues

Dual dissemination of the information received so that no single person controls the information, with criteria for immediate escala-

tion where warranted, and for notication of the audit committee when nancial irregularities or senior management are involved

Case management protocols, including processes for the timely investigation of hotline reports and documentation of the results

Management analysis of trends and comparison to norms

Data security and retention policies and procedures

Customization to comply with the laws of foreign jurisdictions and to address cultural differences

Ongoing messaging to motivate everyone in the organization, as well as vendors, to use the hotline

Summarized from Best Practices in Ethics Hotlines, T. Malone and R. Childs, The Network, 2009

Boards and audit committees should

set a culture in the organization

o highly ethical behavior and

communicate to those within the

organization that i there is a problem,

a vehicle exists or those inside the

organization to report it in an

anonymous way so that they

dont eel jeopardized.

Michael A. Moran, Vice President,

Global Markets Institute,

The Goldman Sachs Group, Inc.


24/55


mechanism was available, and . . . 63 percent o the hotline

reports involved raud by a manager or executive. The

PricewaterhouseCoopers report ound that 48 percent o

rauds were discovered as a result o tips or hotline reports

and concluded: Whistle blowing is a tangible example o a

beneft that companies can realize rom building a culturewhere raud is not tolerated and those that report it have

no ear o retaliation.

POINT TO PONDER

The Dodd-Frank Act of 2010 directs the SEC to reward whis-

tleblowers. Because tips are an eective means for identifying

misconduct, should companies consider a reward system for

tips leading to discovery of fraud?

Challenges of Cross-Cultural Dierences. Public compa-nies are increasingly global in scope, and multinational cor-

porations ace special challenges in trying to oster a

consistent level o ethics across dierent countries and cul-

tures. Instilling a consistent standard o ethical behavior is

much more complex than just translating an ethics code or

raud deterrence program into dierent local languages. It

requires capturing the nuances o meaning in the local lan-

guage and tailoring policies to local customs, as well as de-

termining that controls are implemented and compliance

consistently monitored despite geographic distance. Creat-

ing a uniorm ethical culture also means evaluating culturaldierences that may create pressures, opportunities, or ra-

tionalizations or raud that are dierent rom those typical

in the United States.

For example, it may be necessary to explain how the

organizations policies are more restrictive than the law or

common practice in a particular country. Certain expecta-

tions or behavior, such as a prohibition on acilitation

payments, may be more restrictive

in the United States than what is

normally acceptable in another ju-

risdiction. As one CAQ discussionparticipant pointed out, Process

bridges cultures. Checks and bal-

ances, transparency, and process

will be more successul than any

speech on ethics.

Culture and Boards and Audit Committees

Under the Sarbanes-Oxley Act, audit committee members

must be independent o management and must have a desig-

nated fnancial expert or explain why they do not. In addi-

tion, the audit committee is responsible or oversight o the

confdential whistleblower program and or engaging and

overseeing the external auditors. These responsibilities,

along with the role o the board and audit committee in

overseeing risk management, give boards and audit commit-

tees a central role in an organizations eorts to discourage

and uncover raud.

Among other things, boards and audit committees play a

key role in reinorcing an appropriate tone at the top or

both corporate conduct and risk management by making

ethical conduct an overriding priority, including establish-

ing a code o ethics specifcally or the board that is consis-

tent with the corporate code. CAQ discussion participants

emphasized that the board and audit committee should

make themselves visible in the organization as proponents

o high ethical standards. Most importantly, the board and

the audit committee support the tone at the top by putting

the right senior management team in place as their repre-

sentatives to the organization.

Boards and audit committees have the responsibility to as-

sess the integrity o senior management on an ongoing basis.

In particular, audit committees should be aware o and moni-

tor the risk o management override o internal controls as apart o their oversight o the fnancial reporting process. Au-

dit committees should pay specifc attention to leveraging

the internal audit unction. According to 45 percent o the

respondents to the 2009 Global Integrity Survey by Compli-

ance Week and Integrity Interactive Corporation, internal

audit plays an essential role in gauging the overall level o in-

tegrity and ethics within a company. Another 33 percent indi-

cated that internal audit contributes

to this eort.

Executive compensation.Boards(through their compensation and

audit committees) should evaluate

whether incentive compensation

plansespecially those or senior

managementare aligned with the

companys ethical values and long-

The audit committee needs to set the

tone at the top. It should make it clear

to management and the auditors thatthere is only one standard or how

we do things, and that is the

right wayand that doesnt mean

the right way only i its material.

J. Michael Cook, Audit Committee

Chair, Comcast Corporation


25/55


term business goals. However, the

2009 Global Integrity Survey noted

that hal o the respondents said

they dont tie integrity to executive

compensation. Because incentive

structures can inuence the ethicalenvironment within organizations,

several o the CAQ discussion par-

ticipants stated that links between

compensation and audit committees

should be strengthened. Additional-

ly, the audit committee may consider evaluating the peror-

mance and compensation o the chie audit executive as

well as employment or termination decisions or both the

chie fnancial ocer and chie audit executive.

POINT TO PONDERHow can the board and audit committee identify when a pre-

viously strong tone at the top starts to shift and morph into

something more receptive to inappropriate risk-taking or

behavior?

Culture and Internal Audit

The internal audit unction has a key role in communicating,

reinorcing, and evaluating the ethical culture o an organi-

zation, including testing compliance

with anti-raud programs and other

controls. Internal auditors can be ex-

tremely valuable as eyes and ears

or management as well as or the

board and audit committee. Themore substantive and visible their ac-

tivities to support ethical standards

and assess the risk o raud, the great-

er their impact will be.

According to The IIA, a best

practice or internal audit departments is to have a direct

line o reporting to the audit committee. Along those

lines, it is encouraging that 84 percent o respondents to a

2009 survey by the global internal auditor community

AuditNet indicated that the chie audit executive had un-

restricted direct access to the audit committee.18

To be eective, the internal audit sta should be knowl-

edgeable and experienced, with the necessary expertise and

tools, including raud detection training and raud specialists

on sta, where possible. Moreover, the ability o internal au-

dit to support the deterrence and detection o fnancial re-

porting raud depends on the board and senior management

sending a clear message on the importance o internal audit

activities (or instance, by requiring all levels o management

to respond to internal audit inquiries and fndings).

Compensation goals are good when

they balance short-term and long-term

goals and objectives, and they look at

the behavior that someone who is

striving to achieve that goal is going to

exhibit. Overemphasis on short-termgoals can create incentives that do not

oster ethical behavior.

Kathy Swain, Vice President, Internal Audit,

The Allstate Corporation

Ten Principles for Effective Board Oversight of Risk

The 2009 report of the NACD Blue Ribbon Commission on Risk Governance identies the following ten principles for effective

board oversight of a companys risk management system. These principles are intended to serve as a foundation for a compre-

hensive risk management system tailored to the specic characteristics and needs of each individual company:

1. Understand the companys key drivers of success.

2. Assess the risk in the companys strategy.

3. Dene the role of the full board and its standing committees with regard to risk oversight.

4. Consider whether the companys risk management system is appropriate and has sufcient resources.

5. Work with management to understand and agree on the types of risk information the board requires.

6. Encourage a dynamic and constructive risk dialogue between management and the board, including a willingness

to challenge assumptions.

7. Closely monitor the potential risks in the companys culture and its incentive structure.

8. Monitor critical alignments of strategy, risks, controls, compliance, incentives, and people.

9. Consider emerging and interrelated risks to help prepare for whats around the corner.

10. Periodically assess the boards risk oversight processes.


26/55


One o internal audits roles is to challenge the design o

a companys internal controls and to monitor their eec-

tiveness, particularly in major risk areas. In some organiza-

tions, internal audit is tasked with managing the compli-

ance and ethics program. Whether or not they manage the

program directly, internal audit should consider issuesraised through the program in the context o their role re-

lated to fnancial reporting raud. Commonly, internal au-

dit is charged with working with the audit committee in

administering the program and determining that any re-

sponse is rapid and appropriate.

Beyond these specifc responsibilities, The IIAs Research

Foundation, in a recent book by James Roth, Best Practices:

Evaluating the Corporate Culture, has suggested that the great-

est value that internal audit can provide is in the evaluation o

sot controls, which are the inormal, intangible levers o

control such as tone at the top, the organizations ethical cli-mate, and managements philosophy and operating style

that, taken together, constitute the corporate culture. The

particular ocus should be on identiying any gaps between

the companys stated ethical and cultural values and the way

the company actually operates. Roth presents various case

studies to support his conclusion that root cause analysis o

major rauds and business ailures leads inevitably to the cul-

ture o the organization, and that serious weaknesses in or-

mal or hard controls usually have a sot control weakness as

the underlying root cause. The evaluation o sot controls

hinges on gathering employee perceptions and confrmingwhether they are accurate.

POINT TO PONDER

If internal audit is expected to assess and challenge the tone at

the top of a company, is the function structured properly to

maintain its objectivity? For example, if the career path of

most internal audit sta (including in some cases the chief au-

dit executive) is to rotate back into the mainstream organiza-

tion, is there a conict of interest that potentially compromises

objectivity?

Culture and External Audit

Proessional standards require the external auditor to obtain

an understanding o the companys system o internal con-

trol as part o the audit planning process. To this end, an au-

ditor considers several actors such as managements

philosophy and operating style (including the integrity and

ethical values practiced by management), the companys

commitment to competence, the eectiveness o the board

and audit committees oversight, and the companys human

resource policies and practices (including compensation ar-

rangements). These actors encompass the auditors evalua-

tion o an organizations tone at the top and overall corporate

culture, including incentives or pressures that may exist or

management to engage in raudulent fnancial reporting.

This evaluation is an important consideration in the audi-

tors overal

caq (2010) anti fraud report

Documents